Nomad, a U.S.-based crypto firm, has been hit by hackers, who stole $190M worth of digital assets by attacking Nomad’s cross-chain token bridge, making it this year’s second biggest digital heist.
Although Nomad claims to be a “security-first cross chain messaging protocol,” the hackers managed to find a loophole within the platform.
Security firm PeckShield said that the funds taken from the cross-chain bridge were denominated in Ethereum, USDC, DAI, FXS, and CQT.
“It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case, it had a tiny side effect of auto-proving every message,” explained Sam Sun, a researcher.
It was a “frenzied free-for-all” where “All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it,” said Sun.
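The failure mode Sun describes, as an added example that is not Nomad's code or part of the original article: a simplified Python model in which a never-proven message reads back the zero default, so a trusted zero root accepts it, shown beside a guarded check. The class and method names are hypothetical, the hashes and roots are constructed, and the default-zero lookup is modelled on how an unset Solidity mapping entry reads.

```python
# Simplified model with hypothetical names; not Nomad's contract code.
ZERO_ROOT = b"\x00" * 32


class Replica:
    """A message may be processed only if it was proven under a trusted root."""

    def __init__(self, trusted_root: bytes, reject_zero_root: bool):
        # Assumption: initialization marks the supplied root as trusted.
        self.trusted_roots = {trusted_root}
        # message hash -> root it was proven under. Unknown messages fall back
        # to ZERO_ROOT on lookup, like an unset Solidity mapping slot.
        self.proven_under = {}
        self.reject_zero_root = reject_zero_root

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        # Merkle proof verification is omitted; assume it succeeded for root.
        self.proven_under[msg_hash] = root

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: the default value is never trusted
        return root in self.trusted_roots

    def can_process(self, msg_hash: bytes) -> bool:
        root = self.proven_under.get(msg_hash, ZERO_ROOT)
        return self.acceptable_root(root)


def demo() -> dict:
    unproven = b"\x11" * 32   # constructed message hash, never proven
    proven = b"\x22" * 32     # constructed message hash, proven below
    good_root = b"\xaa" * 32  # constructed non-zero root
    results = {}
    # Weak: zero used as the initial trusted root, no zero-root guard.
    weak = Replica(trusted_root=ZERO_ROOT, reject_zero_root=False)
    results["weak_unproven"] = weak.can_process(unproven)
    # Guarded: same zero initialization, but zero is never acceptable.
    guarded = Replica(trusted_root=ZERO_ROOT, reject_zero_root=True)
    results["guarded_unproven"] = guarded.can_process(unproven)
    # Real root plus guard: proven messages pass, unproven ones do not.
    ok = Replica(trusted_root=good_root, reject_zero_root=True)
    ok.prove(proven, good_root)
    results["ok_proven"] = ok.can_process(proven)
    results["ok_unproven"] = ok.can_process(unproven)
    return results


if __name__ == "__main__":
    print(demo())
```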
Later, the team gave an update to the community on Twitter by saying: “We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics.”
Nomad is now trying to identify the hackers and recover the funds. The team also thanked white hat users who helped safeguard the funds to avoid further loss to wallet owners and the firm.
They asked the individuals to keep hold of the funds until they provide more instructions.